Router WAN double with SSL VPN inaccessible for customers

I have a configured in a Dual WAN setup Cisco 888. There is an ADSL link connected to the VLAN 100 and a SDSL link associated with the Dialer0. The customer wishes to use the ADSL link to the normal navigation and external SSL VPN users to complete on the SDSL connection. I tried to configure the link failover for the ADSL SDSL.

What works:

-Access to the Internet for clients the

What does not work:

-The ADSL SDSL connection failover.

-Access SSL VPN for customers. Surf to the external IP address will cause only a page by default HTTP. Specification webvpn.html results in a 404 not found error.

Here is my configuration:

version 15.0

no service button

horodateurs service debug datetime msec

Log service timestamps datetime msec

no password encryption service

!

host name x

!

boot-start-marker

boot-end-marker

!

logging buffered 51200 warnings

enable secret 5 x

!

AAA new-model

!

!

AAA authentication login local sslvpn

!

!

!

!

!

AAA - the id of the joint session

iomem 10 memory size

!

Crypto pki trustpoint TP-self-signed-3964912732

enrollment selfsigned

name of the object cn = IOS - Self - signed - certificate - 3964912732

revocation checking no

rsakeypair TP-self-signed-3964912732

!

!

TP-self-signed-3964912732 crypto pki certificate chain

self-signed certificate 03

x

quit smoking

IP source-route

!

!

IP dhcp excluded-address 192.168.10.254

DHCP excluded-address IP 192.168.10.10 192.168.10.20

!

DHCP IP CCP-pool

import all

network 192.168.10.0 255.255.255.0

default router 192.168.10.254

DNS-server 213.75.63.36 213.75.63.70

Rental 2 0

!

!

IP cef

no ip domain search

property intellectual name x

No ipv6 cef

!

!

udi pid CISCO888-K9 sn x license

!

!

username secret privilege 15 ciscoadmin 5 x

username password vpnuser 0 x

!

!

LAN controller 0

atm mode

Annex symmetrical shdsl DSL-mode B

!

interface Loopback1

Gateway SSL dhcp pool address description

IP 192.168.250.1 255.255.255.0

!

interface Loopback2

Description address IP VPN SSL

IP 10.10.10.1 255.255.255.0

route PBR_SSL card intellectual property policy

!

interface BRI0

no ip address

encapsulation hdlc

Shutdown

Multidrop ISDN endpoint

!

ATM0 interface

no ip address

load-interval 30

No atm ilmi-keepalive

PVC KPN 2/32

aal5mux encapsulation ppp Dialer

Dialer pool-member 1

!

!

interface FastEthernet0

switchport access vlan 100

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface Vlan1

LAN description

IP address 192.168.10.254 255.255.255.0

IP nat inside

IP virtual-reassembly

IP tcp adjust-mss 1300

!

interface Vlan100

Description KPN ADSL 20/1

DHCP IP address

NAT outside IP

IP virtual-reassembly

!

interface Dialer0

Description KPN SDSL 2/2

the negotiated IP address

IP access-group INTERNET_ACL in

NAT outside IP

IP virtual-reassembly

encapsulation ppp

Dialer pool 1

Dialer-Group 1

PPP pap sent-username password 0 x x

No cdp enable

!

IP local pool sslvpnpool 192.168.250.2 192.168.250.100

IP forward-Protocol ND

IP http server

local IP http authentication

IP http secure server

IP http timeout policy slowed down 60 life 86400 request 10000

!

pool nat SSLVPN SDSL 10.10.10.1 IP 10.10.10.1 netmask 255.255.255.0

IP nat inside source static tcp 10.10.10.1 443 interface Dialer0 443

IP nat inside source static tcp 10.10.10.1 80 Dialer0 80 interface

IP nat inside source overload map route NAT_ADSL Vlan100 interface

IP nat inside source overload map route NAT_SDSL pool SSLVPN SDSL

IP route 0.0.0.0 0.0.0.0 x.x.x.x

IP route 0.0.0.0 0.0.0.0 Dialer0 10

!

INTERNET_ACL extended IP access list

Note: used with CBAC

allow all all unreachable icmp

allow icmp all a package-too-big

allow icmp all once exceed

allow any host 92.64.32.169 eq 443 tcp www

deny ip any any newspaper

Extended access LAN IP-list

permit ip 192.168.10.0 0.0.0.255 any

refuse an entire ip

!

Dialer-list 1 ip protocol allow

not run cdp

!

!

!

!

NAT_SDSL allowed 10 route map

match the LAN ip address

match interface Dialer0

!

NAT_ADSL allowed 10 route map

match the LAN ip address

match interface Vlan100

!

PBR_SSL allowed 10 route map

set interface Dialer0

!

!

control plan

!

!

Line con 0

no activation of the modem

line to 0

line vty 0 4

privilege level 15

transport input telnet ssh

!

max-task-time 5000 Planner

!

WebVPN MyGateway gateway

hostname d0c

IP address 10.10.10.1 port 443

redirect http port 80

SSL trustpoint TP-self-signed-3964912732

development

!

WebVPN install svc flash:/webvpn/anyconnect-dart-win-2.5.0217-k9.pkg sequence 1

!

WebVPN install svc flash:/webvpn/anyconnect-macosx-i386-2.5.0217-k9.pkg sequence 2

!

WebVPN install svc flash:/webvpn/anyconnect-macosx-powerpc-2.5.0217-k9.pkg sequence 3

!

WebVPN context SecureMeContext

title "SSL VPN Service"

secondary-color #C0C0C0

title-color #808080

SSL authentication check all

!

login message "VPN".

!

Group Policy MyDefaultPolicy

functions compatible svc

SVC-pool of addresses "sslvpnpool."

SVC Dungeon-client-installed

Group Policy - by default-MyDefaultPolicy

AAA authentication list sslvpn

Gateway MyGateway

development

!

end

Any suggestions on where to look?

Hello

It works for me. When the client tries to resolve the fqdn for the domain specified in "svc split dns.." he will contact the DNS server assigned through the Tunnel. For all other questions, he contacts the DNS outside the Tunnel.

You can run a capture of packets on the physical interface on the Client to see the query DNS leaving?

Also in some routers, DNS is designated as the router itself (who is usually address 192.168.X.X), if you want to make sure that assigned DNS server doesn't not part of the Split Tunnel.

Naman

Tags: Cisco Security

Similar Questions

  • SSL VPN license for ASA

    It must be an easy question - but I'm having a hard time finding an answer. How are the SSL VPN to the end user a license?

    Let's say I have 300 users, SSL, but only 20 concurrent SSL at any time. Do I need licenses for the 300 full or 20 competitors?

    Thank you

    Jim

    Hey Jim,.

    SSL licenses for only simultaneous connections. The only limitation you will encounter is how SSL sessions each platform supports (i.e. 750 concurrent sessions on an ASA5520).

  • How SSL VPN packages for two ASAs clustered licenses

    Hi all!

    If I have installed two Cisco ASA 5550 (ASA5550-BUN-K9) in failover mode, which I know support only 2 concurrent sessions of SSL VPN and you want to upgrade my boxes to support 15 AnyConnect SSL VPN sessions, how many licenses packages I need to buy?

    An ASA5500-SSL-25 for both boxes or two ASA5500-SSL-25 for one per box?

    Depends on what version of ASA you are running.

    If you are running version 8.3 and above, then you just buy 1 ASA5500-SSL-25 for a failover pair and it would work. If you buy 2 ASA5500-SSL-25, one license per box in failover pair, then the license gets grouped into 50 SSL user license.

    Here is the license information for ASA version 8.3 for failover pair:

    http://www.Cisco.com/en/us/docs/security/ASA/asa83/license_standalone/license_management/license.html#wp1315746

    For ASA running version 8.2 and below, you are required to buy 2 ASA5500-SSL-25 (one of each ASA in the failover pair) as the license should be exactly the same for the pair to failover to work, in the earlier version of the SAA.

    Hope that makes sense.

  • Need help with native VPN client for Mac to the Configuration of the VPN router RV082

    Guys,

    I am trying to set up router RV082 VPN Client with native Mac for my remote access. However, no matter what I did, I'm not able to make works. Can any give me an example of how to set my router RV082 and Mac Book Pro (Mountain Lion)?

    Thank you

    Hi Jixian, the native client MAC does not work. The IPSEC VPN client is the same as the 5.x Cisco VPN client is not supported on this device.

    Your alternatives are to use PPTP or a 3rd party IPsec client such as ipsecuritas.

    -Tom
    Please evaluate the useful messages

  • Site to site VPN with the VPN Client for both sites access?

    Current situation:

    Scenario is remote to the main office. Site IPSEC tunnel site (netscreen) remote in hand (506th pix). Cisco VPN Client of main office of remote access to users.

    It's that everything works perfectly.

    Problem:

    Now we want remote users who connect to the seat to also be able to access resources in the remote offices.

    This seems like it would be easy to implement, but I can't understand it.

    Thanks in advance.

    Rollo

    ----------

    #10.10.10.0 = Network1

    #10.10.11.0 = Network2

    #172.16.1.0 = vpn pool

    6.3 (4) version PIX

    access-list 101 permit ip 10.10.10.0 255.255.255.0 172.16.1.0 255.255.255.0

    access-list 101 permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0

    splitTunnel 10.10.10.0 ip access list allow 255.255.255.0 any

    splitTunnel ip 10.10.11.0 access list allow 255.255.255.0 any

    access-list 115 permit ip any 172.16.1.0 255.255.255.0

    access-list 116 allow ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0

    IP access-list 116 allow all 10.10.11.0 255.255.255.0

    access-list 116 allow ip 10.10.11.0 255.255.255.0 10.10.10.0 255.255.255.0

    ICMP allow all outside

    ICMP allow any inside

    Outside 1500 MTU

    Within 1500 MTU

    IP address outside 209.x.x.x 255.255.255.224

    IP address inside 10.10.10.1 255.255.255.0

    alarm action IP verification of information

    alarm action attack IP audit

    IP local pool 172.16.1.0 vpnpool - 172.16.1.50

    Global 1 interface (outside)

    Global (outside) 10 209.x.x.x 255.255.255.224

    (Inside) NAT 0-list of access 101

    NAT (inside) 10 10.10.10.0 255.255.255.0 0 0

    Access-group outside_access_in in interface outside

    Route outside 0.0.0.0 0.0.0.0 209.x.x.x 1

    Timeout xlate 01:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

    H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

    Timeout, uauth 0:05:00 absolute

    enable floodguard

    Permitted connection ipsec sysopt

    Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT

    crypto dynamic-map Clients_VPN-dynmap 10 transform-set RIGHT

    35 Myset1 ipsec-isakmp crypto map

    correspondence address 35 Myset1 map cryptographic 116

    card crypto Myset1 35 counterpart set x.x.x.x

    card crypto Myset1 35 set transform-set Myset1

    Myset1 card crypto ipsec 90-isakmp dynamic dynmap Clients_VPN

    client configuration address card crypto Myset1 launch

    client configuration address card crypto Myset1 answer

    interface Myset1 card crypto outside

    ISAKMP allows outside

    ISAKMP key * address x.x.x.x 255.255.255.255 netmask No.-xauth-no-config-mode

    ISAKMP identity address

    ISAKMP nat-traversal 20

    part of pre authentication ISAKMP policy 15

    ISAKMP policy 15 3des encryption

    ISAKMP policy 15 sha hash

    15 1 ISAKMP policy group

    ISAKMP duration strategy of life 15 28800

    part of pre authentication ISAKMP policy 20

    ISAKMP policy 20 3des encryption

    ISAKMP policy 20 chopping sha

    20 2 ISAKMP policy group

    ISAKMP duration strategy of life 20 3600

    part of pre authentication ISAKMP policy 25

    encryption of ISAKMP policy 25

    ISAKMP policy 25 md5 hash

    25 2 ISAKMP policy group

    ISAKMP living 25 3600 duration strategy

    part of pre authentication ISAKMP policy 30

    ISAKMP policy 30 aes-256 encryption

    ISAKMP policy 30 sha hash

    30 2 ISAKMP policy group

    ISAKMP duration strategy of life 30 86400

    vpngroup address vpnpool pool mygroup

    vpngroup dns-server dns1 dns2 mygroup

    vpngroup mygroup wins1 wins2 wins server

    vpngroup mygroup by default-domain mydomain

    vpngroup split splitTunnel tunnel mygroup

    vpngroup idle time 64000 mygroup

    mygroup vpngroup password *.

    Telnet timeout 5

    dhcpd lease 3600

    dhcpd ping_timeout 750

    dhcpd outside auto_config

    Hi Rollo,

    You can not be implemented for a simple reason, it is not supported on the version 6.x PIX. It relies on the PIX 7.x worm but 7.x is not supported on PIX 506. Thus, in a Word, it can be reached on a PIX 506. If you have an ASA, a PIX 515 running 7.x, a router or a hub as well, it can be reached.

    HTH,

    Please rate if this helps,

    Kind regards

    Kamal

  • SSL VPN may be configured on the router from Cisco 881/K9?

    I'm now confused if SSL VPN can be configured on the router from Cisco 881/K9.

    Please someone advise me.

    If Yes, for only 5 users, what I need to buy the license or license is supplied with the router?

    Thank you.

    Yes, and you need a license:

    FL-WEBVPN-10-K9

    License SSL VPN functionality for up to 10 users (incremental), to 12.4 T based only IOS versions

    FL-SSLVPN10-K9

    License SSL VPN functionality for up to 10 users (incremental) for the only based 15.x IOS versions

  • ASA SSL VPN with RSA authentication

    All those implemented SSL VPN on a device of the ASA using remote Securid tokens? The technical sheets indicate native RSA can be used for authentication, but this works with SSL VPN?

    Thank you

    Try this link

    http://www.Cisco.com/en/us/products/ps6120/prod_release_note09186a0080688004.html

  • ACL rule does not work after the SSL VPN connection

    Hello

    I have the following configuration:

    -VLAN LAN (192.168.5.0/24)

    -VLAN WLAN (192.168.20.0/24)

    -SSL VPN VLAN (192.168.200.0/24)

    Default policy denies access to the local network. If the value rule ACL to allow traffic between WLAN and LAN. Works very well.

    Now I connect with AnyConnect and access resources on the network VLAN. Works.

    After you have disconnected the VPN I can't access the LAN to WLAN VLAN. If I disable the ACL rule and turn it back on, it works again until someone connects with SSL VPN.

    I use firmware 1.2.15. Any ideas when this bug fixed?

    Kind regards

    Simon

    HI Simon,.

    This bug will be fixed in 1.2.16.

    I don't know the exact date for the release.

    But it should be out soon. If you need the fix sooner,

    Please open a case of pension.

    Kind regards

    Wei

  • SSL VPN without disabled in ASA5505 after the Activation of the AnyConnect client

    Hello everyone,

    I am facing a problem with the VPN service in ASA 5505. Initially, I was using SSL VPN without customer who was working absolutely fine, no problem. Recently I bought AnyConnect Essentials License with license AnyConnect VPN, Mobile (for focusing on the Client SSL VPN Service for desktop and mobile respectively) and have activated these keys inside of the firewall. After that I may be able to connect to based on the VPN Client, using the AnyConnect client. Clientless VPN access is not allowing you to connect and displays an error (see the attached screenshot).

    I created two VPN profiles Viz, basic (for clientless VPN) and rvsvpn (for client based VPN). Download the AnyConnect Client I can connect to the rvsvpn profile. But if I try to connect using the basic profile, it throws an error has been to what is displayed in the exhibition.

    Please help me in this regard, as what can be done to use both the vpn connection profile. Or what the use of AnyConnect disables client access?

    Waiting for your help.

    Thanks in advance.

    Samrat.

    "Anyconnect essentials" in your configuration command to disable all profiles without customer (as well as other features that require the Premium license).

    Essentials and Premium are mutually exclusive as the performance of duties. You can have both installed licenses, but only use one or the other (and never both at once) in your running configuration.

  • ASA 5500 SSL VPN Failover license

    Hello

    I have a partner who request assistance with SSL VPN licenses on the ASA 5500 firewall sharing:

    His question is:

    Both SSL, provided with the firewall of the SAA, licenses can be shared across a couple active / standby?  I would therefore have a total of (4) licenses of SSL VPN to use?

    This would also be true for two security contexts that are included with the firewall?

    For example, I buy two base ASA 5520 firewall, running active / standby, that each machine is supplied with SSL VPN licenses (2) and (2) licensing of security contexts? In version 8.3, the licenses are cumulative by failover pairs, so I should a total SSL VPN (4) and (4) security contexts?

    Here is my response to his request:

    Based on this link (http://www.cisco.com/en/US/partner/docs/security/asa/asa83/license_standalone/license_management/license.html#wp1449664)

    It was mentioned that:

    "You can have one active license type, either the AnyConnect Essentials license or the AnyConnect Premium license. By default, the Adaptive security apparatus includes an AnyConnect Premium license for 2 sessions. If you install the AnyConnect Essentials license, it is used by default. See not anyconnect-essentials control or in ASDM Configuration > remote access VPN > network (Client) access > advanced > component AnyConnect Essentials to activate the Premium license instead. »

    It will be able to share the included license on the ASA 5500 4. It will be able to share these licenses, but I'm not sure the security context. My answer would be, it can use only 2 context Security licenses since only the VPN licenses are shared on the version 8.3 and other licenses not characteristic. My understanding is correct? or there are other explanations on my customer survey?

    Thanks in advance!

    Ice Flancia

    Cisco partner Helpline Tier 2 team

    Only from ASA 8.3 version and following, the license can be combined on a failover pair active / standby.

    2 SSL included license on SAA in failover pair is combined as 4 license SSL.

    2 license of background on ASA in failover pair is combined as license frame 4.

    Here's the URL on ASA combined license failover:

    http://www.Cisco.com/en/us/partner/docs/security/ASA/asa83/license_standalone/license_management/license.html#wp1450094

    Hope that helps.

  • SSL VPN from Cisco ASA and ACS 5.1 change password

    Dear Sir.

    I am tring configure ASA to change the local password on ACS 5.1. When the user access with ssl vpn if the ACS 5.1 password expiration date. ASA will display the dialog box or window popup to change the password. But it does not work. I'm tring to Setup with the functionality of password management on the SAA. When I enable password management it will not work and is unable to change the password. Could you tell me about this problem?

    Thank you

    Aphichat

    

    Dear Sir,
    

    I'm tring to setup ASA to change local password on ACS 5.1. When user access with ssl vpn if password on ACS 5.1 expire. ASA will show dialog box or pop-up to change password. But It don't work. I'm tring to setup with password management feature on ASA . When I enable password management it don't work and can't to change password. Could you advise me about this problem?
    

    Thank you
    

    Aphichat

    Hi Aphichat,

    Go to the password link below change promt via AEC in ASA: -.

    https://supportforums.Cisco.com/docs/doc-1328;JSESSIONID=A51E68318579261787BD60DDA0707819. Node0

    Hope to help!

    Ganesh.H

    Don't forget to note the useful message

  • ASA 5520 - SSL VPN (Anyconnect) licenses

    Hello

    Can someone clarify for me the SSL VPN/AnyConnect for the ASA 5520 license?  Specifically, the differences between the AnyConnect Essentials and AnyConnect Premium.  Our current license looks like this:

    The devices allowed for this platform:
    The maximum physical Interfaces: unlimited
    VLAN maximum: 150
    Internal hosts: unlimited
    Failover: Active/active
    VPN - A: enabled
    VPN-3DES-AES: enabled
    Security contexts: 2
    GTP/GPRS: disabled
    SSL VPN peers: 2
    Total of the VPN peers: 750
    Sharing license: disabled
    AnyConnect for Mobile: disabled
    AnyConnect Cisco VPN phone: disabled
    AnyConnect Essentials: disabled
    Assessment of Advanced endpoint: disabled
    Proxy sessions for the UC phone: 2
    Total number of Sessions of Proxy UC: 2
    Botnet traffic filter: disabled

    This platform includes an ASA 5520 VPN Plus license.

    I guess that means that we have just the 2 'free trial' SSL VPN licenses and nothing else.

    I would like to add 25 or maybe 50 SSL VPN licenses and be able to use a combination of full free client, thin client and groups client AnyConnect.  The 'ASA5500-SSL-25' (or 50) would be the correct license I need to buy?

    Thank you

    Rob

    Hello

    The essentials license is per device and does not allow full-tunnel.

    If you need other features like Secure Desktop, without client SSL and other optional features such as shared licenses, you must go to the Premium license.

    http://www.Cisco.com/en/us/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-527494_ps10884_Products_Data_Sheet.html

    Federico.

  • Routing IP will on SAA for SSL VPN

    I have a question let internal DHCP network is 192.168.0.0 and if you configure SSL VPN on ASA to assign the ip address of 10.0.0.0 network routing where must be configured so that the customer can route between network?

    2 lets say im using im 192.168.10.0/.20.0/.30.0 my network if I place ASA to assign 30.0 will be ther be conflict DHCP? or ASA DHCP will ONLY respond outside requests? (I mean Anyconnect)

    Hello

    You don't have to use a dynamic routing protocol if you need / want. In a simple network you could just use static routes.

    That is the way that manage you routing I don't think it really changes the configuration at all.

    This of course provided that the ASA is the default route outside of your network. Then all traffic to the networks VPN pool naturally would be always accessible from the local network as the default route would already be transfer all traffic to networks outside the local network to the ASA.

    However if the ASA is not device gateway for all Internet traffic on your network then you will need to manage the routing so that the networks/subnets used as the VPN pools would be routed to the ASA on the local network.

    -Jouni

  • IP NAT on the router on SSL - VPN appliance

    Someone at - it allows to transmit 443/SSL on a SSL VPN Cisco 891 - K9 unit?

    (I have never encountered this situation before as the router VPN terminated public face directly or we had several IPs public to assign the VPN device directly a public IP address).

    With ' ip nat inside source static tcp 44.55.66.255 443 10.10.10.150 443 extensible "is supposed to pass the SSL request to the appliance SSL VPN to 10.10.10.150 to have VPN applications ended here.

    But failed miserably body 891 - K9 created a virtual ARP entry for 10.10.10.150. So two MACs with the same IP address.

    So 443 requests were sent to its interface. At the hearing of NAT, I can't ssh inside SSL - VPN, but by the time the statemet disappeared, I can ssh and warning dupliacte ARP goes.

    * 1 Nov 19:22:46.871: % IP-4-DUPADDR: duplicate address 10.10.10.150 on Vlan10, a source of aaaa.bbbb.cccc
    * 1 Nov 19:23:18.083: % IP-4-DUPADDR: duplicate address 10.10.10.150 on Vlan10, a source of aaaa.bbbb.cccc
    * 1 Nov 19:23:48.295: % IP-4-DUPADDR: duplicate address 10.10.10.150 on Vlan10, a source of aaaa.bbbb.cccc
    RTR #sh clock
    * 19:24:26.487 UTC Sunday, November 1, 2015
    RTR #sh ip arp 10.10.10.150
    Protocol of age (min) address Addr Type Interface equipment
    Internet 10.10.10.150 - e02f.6d96.8dd0 ARPA Vlan10
    RTR #sh ip arp 10.10.10.150
    Protocol of age (min) address Addr Type Interface equipment
    Internet 10.10.10.150 - e02f.6d96.8dd0 ARPA Vlan10
    RTR #sh sh ip route 10.10.10.150

    Cisco TAC to reproduce this problem at the moment to report dev.

    Does anyone else have this problem or a workaround?

    Thank you.

    I may be misunderstanding but isn't your NAT statement backwards IE. If you want traffic to pass to 10.10.10.150 it shouldn't be-

    ' ip nat inside source static tcp 10.10.10.150 43 43 44.55.66.25x.

    isn't the device for SSL connection on interface 'ip nat inside '?

    Jon

  • Bypass the router upstream company ACL with IPSEC VPN

    Hello

    My headquarters has a routing infrastructure company. I want to configure a Site VPN to IPSEC as a solution of webvpn AnyConnect for my users through the company. If the security guys to create an ACL on the router upstream from my Cisco ASA 5585 to allow IPSEC between 28 (the stretch between my external interface of ASA and the trunk of PO on the upstream router) then I can send ip a whole between my inside interface subnet and subnet within the interface on the ASA distant (still on the company's infrastructure holding constant and correct routing. In short, if a packet is encrypted in an IPSEC packet, IPSEC is not filtered, you can send any traffic, even if it is AS restrictive on a router upstream of the LCA, correct?

    Thank you!

    Matt

    CCNP

    You are right, the router can not look in the VPN package. So anything that is transported inside the VPN, it bypasses security company-ACL.

    For VPN traffic to your ASA, you need the following protocols/ports:

    1. UDP/500, UDP4500, IP/50 for IPsec
    2. UDP/443 for AnyConnect with SSL/TLS, TCP/443

Maybe you are looking for